Online Safety Bill Is Official. Now We See What Enforcement Looks Like
After being discussed for years and years, the Online Safety Act in the UK is now law, after receiving royal assent" last week. Hilariously, the UK's announcement declared that children and adults will now be safer online, as if that's absolutely true. It's not, though. The law includes many provisions that will make both children and adults less safe, including age verification (a privacy nightmare), potential limits on encryption, and tools that can lead to the suppression of important speech. What the law actually does is let the political class claim they made the internet safer, without actually doing so.
The Office of Communications (Ofcom), the agency in charge of enforcement (which is a very different role than it has had historically, where it has generally been roughly equivalent to our FCC), has announced that it is moving to implement the law. Over the last few years, I know that Ofcom has staffed up quite a lot in preparation for this, but it's still not clear how it will actually work.
Throughout the process, every time people pointed out the many, many, many problems with how the law was written, people would say that Ofcom was a more friendly" regulator, and one that would take a more collaborative approach to enforcing the Online Safety Act, rather than the aggressive crackdown that some feared.
Of course, even if true, that also leaves Ofcom with a tremendous amount of discretion, which itself can be abused. And frankly, even with the various changes, the final version of the bill remains a complete mess.
It's so stupid that to get the bill over the finish line, the government basically had to say that it wouldn't even enforce the part of the law that effectively would outlaw encryption, even though that section of the law remains in place. In other words, it's all about discretion, and that will depend heavily on who is running Ofcom.
But the encryption stuff is hardly the only problematic aspect of the Online Safety Act. There are still issues regarding age verification, duties of care, transparency mandates, and more - each of which has a tremendous amount of nuance, and where the details of the implementation matter quite a bit.
While the EU is still starting to figure out how the DSA will work in practice, now the UK will have to figure out how the Online Safety Act will work, and so there are now two different, equally confusing and questionable approaches on that side of the Atlantic, both of which are likely to lead to the suppression of protected speech if only due to the chilling effects of the way these laws have been written.
For what it's worth, I don't doubt that those running Ofcom now honestly do believe that they will be the more friendly" regulator on these issues. I just don't think it's likely to remain that way over the long haul. And I can't see how this will do anything good for the internet startup scene that had been growing up in and around London, which will now face a potentially catastrophic compliance regime to deal with.